I recently had occasion to transport some patient diagnostic data of a family member from one doctor to another, so I examined the data on the disk to see what format it was. Basically, *all of the data was incorporated into a compressed (Windows) executable file*.!?! This strategy of delivering patient data is so wrong on so many levels that I don't even know where to start.

1. The *only* non-security-researcher way to examine the data is to *execute an unknown .exe file*. Can you say malware? Can you say OPM hack? Can you say DNC hack? Can you say ransomware for a doctor's office or an entire hospital? It should not be necessary to view patient data within a clean air-gapped virtual machine which must be restarted from scratch every time.

2. Security by obscurity is no security at all. Embedding data within an executable file is not secure from anyone with the proper tools. If by any chance you can actually get access to the data, it isn't encrypted at all.

3. The idea of embedding patient data into programs that will be obsolete in 2 years is sheer insanity. This means that normal bitrot will make these data inaccessible decades before the patient no longer needs them. Patient data needs to be accessible via open source viewer programs that can continue to be updated and used for multiple decades.

4. The (unencrypted) data also included live *video* of the patient, which was not disclosed to the patient at the time of the diagnostic procedure. I can't even begin to guess how many privacy regulations were broken when gathering, storing and distributing these video data.

Bottom line: No wonder hospitals and doctors' offices are so easily hacked and patient records either disclosed or held for ransomware (or both), with these insecure-by-design types of products and procedures.
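As an added example (not from the poster, and not from any product mentioned), here is the kind of check that answers "what format is this, really?" before anything on such a disk is opened: a Python sniffer that reads only magic bytes and flags Windows executables, including the self-extracting-archive shape described above (a PE image with a ZIP payload appended), as opposed to open viewer formats. DICOM, the open medical-imaging format, is my assumption of what such data ought to ship in; the page does not name it, and all sample bytes are constructed.

```python
"""Triage a file handed over as 'patient data' by its leading bytes.

Added example for the RISKS post above; sample inputs are constructed here,
not taken from any real disk.
"""
import struct

MZ_HEADER_LEN = 0x40        # DOS header; the PE header offset (e_lfanew) sits at 0x3C
DICOM_PREAMBLE_LEN = 128    # DICOM part 10 files: 128-byte preamble, then "DICM"


def sniff(data: bytes) -> str:
    """Return a coarse format label derived only from magic bytes."""
    if data[:2] == b"MZ" and len(data) >= MZ_HEADER_LEN:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # A PE image with a ZIP local-file header appended is the usual
            # shape of a self-extracting archive ("compressed executable").
            if b"PK\x03\x04" in data[e_lfanew + 4:]:
                return "self-extracting-archive"
            return "windows-executable"
        return "dos-executable"
    if (len(data) >= DICOM_PREAMBLE_LEN + 4
            and data[DICOM_PREAMBLE_LEN:DICOM_PREAMBLE_LEN + 4] == b"DICM"):
        return "dicom"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def triage(data: bytes) -> tuple:
    """Classify the bytes and say what a reader should do with the file."""
    kind = sniff(data)
    if kind in ("windows-executable", "dos-executable", "self-extracting-archive"):
        # Data should never require running a program: unpack or view it
        # with a tool that treats the file as inert bytes instead.
        return kind, "do-not-execute"
    if kind in ("dicom", "pdf", "zip"):
        return kind, "open-with-viewer"
    return kind, "unknown-format"


def constructed_sfx() -> bytes:
    """Constructed PE-shaped header with a ZIP entry appended; not a real program."""
    hdr = bytearray(b"MZ" + b"\0" * (MZ_HEADER_LEN - 2))
    struct.pack_into("<I", hdr, 0x3C, MZ_HEADER_LEN)  # e_lfanew -> right after DOS header
    hdr += b"PE\0\0" + b"\0" * 20                      # empty COFF header
    return bytes(hdr) + b"PK\x03\x04" + b"report.txt (constructed payload)"


def constructed_dicom() -> bytes:
    """Constructed DICOM preamble plus the start of the file meta group."""
    return b"\0" * DICOM_PREAMBLE_LEN + b"DICM" + b"\x02\x00\x00\x00UL\x04\x00"


if __name__ == "__main__":
    for label, blob in (("disk.exe", constructed_sfx()),
                        ("scan.dcm", constructed_dicom()),
                        ("note.bin", b"hello")):
        print(label, *triage(blob))
```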
Elliot Hannon, *Slate*, 15 Dec 2016
Agency in Charge of U.S. Election Standards and Best Practices Reportedly Also Got Hacked
http://www.slate.com/blogs/the_slatest/2016/12/15/agency_in_charge_of_u_s_election_standards_and_best_practices_reportedly.html

The vulnerabilities of the American electoral system don't stop at email hacks. As Reuters reports, following the 8 Nov election the U.S. Election Assistance Commission, the very federal agency that is charged with testing and certifying state voting systems, was itself hacked. The hack was discovered by a cybersecurity firm that detected someone selling logins to the Election Assistance Commission on the black market. The Russian-speaking hacker had more than 100 logins for commission employees and was attempting to sell them for as little as a few thousand dollars to Middle Eastern countries. What is the potential fallout from such a breach? From Reuters:

The election commission certifies voting systems and develops standards for technical guidelines and best practices for election officials across the country. Though much of the commission's work is public, the hacker gained access to non-public reports on flaws in voting machines. In theory, someone could have used knowledge of such flaws to attack specific machines, said Matt Blaze, an electronic voting expert and professor at the University of Pennsylvania. The researchers were confident that the hacker moved to sell his access soon after getting it, meaning that he was not inside the system before election day.

The Election Assistance Commission issued a statement <https://www.eac.gov/eac_reports_potential_breach_of_web-facing_application/> Thursday evening on the breach:

The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects. The EAC does not administer elections. State and local jurisdictions run elections. The EAC does not collect or store any personal information of voters. The EAC does not maintain voter databases. The EAC does not tabulate or store vote totals.

[Ken Nitz also noted a TechCrunch item on that story. PGN]
https://techcrunch.com/2016/12/15/the-government-body-that-oversees-the-security-of-voting-systems-was-itself-hacked/
The U.S. state of Georgia traces 10 cyberattacks to U.S. federal agency DHS (Dept of Homeland Security). Kentucky & West Virginia experienced similar attacks, confirmation uncertain.
http://www.politico.com/story/2016/12/georgia-donald-trump-cyberattacks-dhs-232648
http://www.hannity.com/articles/election-493995/breaking-3-state-election-agencies-confirm-15397026/
http://www.wsbtv.com/news/local/more-states-confirm-cyber-attacks-sourced-to-dhs/476227320
http://www.wsbtv.com/news/georgia/georgia-secretary-of-state-says-cyberattacks-linked-back-to-dhs/475707667

[Since DHS has been stonewalling GA requests for clear explanations, maybe it is time for the state of GA to issue a FOIA (Freedom of Information) request to DHS, and also request an IG (Inspector General) investigation.]

Possible explanations:

* DHS, and other US fed agencies, are authorized to do white-hat penetration tests of organizations they are supposedly regulating, but such tests should be promptly followed up with notification to the tested sites of what they did, why, and any problems they found. With large government agencies, there can be breakdowns in communications.

* Some hackers manage to disguise their attacks, so they appear to come from some place else (spoofing).

* IGs (Inspectors General) have found vulnerabilities in many government systems. Crooks often exploit one place, then use its connections to others, to also penetrate the others. This could be the beginnings of a breach, where DHS has been hacked to support such attacks.

* The dates of the attacks indicate this may be part of the alleged hacking of the 2016 election.

In related news, a growing number of members of the US Electoral College are demanding an intelligence briefing about what the CIA found out about possible Russian interference in the US 2016 election, before they can do their job. If their request is denied, that's maybe enough to cause Donald Trump to not win the election, and move the decision to the US House of Representatives.
http://www.politico.com/story/2016/12/electoral-college-members-intel-briefing-232554
http://thehill.com/blogs/blog-briefing-room/news/310220-electoral-college-members-demanding-briefing-on-russian
http://thehill.com/homenews/campaign/310316-over-50-dem-electors-sign-letter-calling-for-intelligence-briefing

Alternatively, this could delay the Electoral College deciding the 2016 election, originally scheduled for 19 Dec 2016.
http://thehill.com/homenews/campaign/310381-house-dem-wants-electoral-college-vote-delayed-until-after-intelligence
[via Dave Farber, who previously noted this URL:]
http://www.bbc.com/news/technology-37590375

A chilling story indeed. But I think the key paragraph is this one:

It was a race against time—more systems were corrupted with every passing minute. Any substantial delay would have led satellite distribution channels to cancel their contracts, placing the entire company in jeopardy.

In other words, it was customers canceling contracts that was the ultimate threat to the company. This particular story thus indicates the value of destructive cyberattacks in prompting or instigating large-scale reaction that can amplify by many times the effect of any given attack.

An interesting question arises—did the attackers know in advance that their attack would place the very economic survival of the company at risk? Or had they *merely* intended to wreak havoc that they expected would have only short term effects? Was the existential nature of the threat to the company just fortuitous from their perspective?

If the first (they knew in advance), it seems like an exercise in predicting second order effects—this time, second order effects that are psychological, legal, and economic in nature, rather than technical. That's a significant expansion of the space that planners of an attack must account for—and defenders too.

Senior Research Scholar, Center for International Security and Cooperation
Research Fellow, Hoover Institution, Stanford University
Herb Lin's comments spotlight a force multiplier effect when psychological, legal and economic boundaries are crossed. However, we should remain vigilant of *any* use of cyberweaponry. If DDOS attack sources can be taken as a proxy indicator for bad guy geography, may I suggest there's nothing unique about attacks from Russia.
http://www.digitalattackmap.com/#anim=1&color=1&country=ALL&list=2&time=17153&view=map

Building Walls is a failed doctrine, not worth revisiting. Building Verified Trust infrastructure is a better doctrine. To paraphrase Thomas Friedman's recent book *Thank You for Being Late*, "Verified Trust is the best performance enhancing drug on the market. Mere Trust is an anachronism. It means Lack of Knowledge. The world needs frameworks for new rules to [e]nsure access to Verified Trust."
https://www.kirkusreviews.com/book-reviews/thomas-l-friedman/thank-you-for-being-late/
If you are an Evernote customer, with notes you want to keep confidential, perhaps you had better learn how to encrypt them, using an encryption system other than one supplied by Evernote. Some notes may be related to development of something needing intellectual property protection & you would not want Evernote employees to get it protected before you, or open a competitor effort. Quite possibly many similar services have spied on their customers, and not yet revealed that fact.

Evernote updates its privacy policy to let its employees read the notes of Evernote customers. They cannot opt out of this.
https://help.evernote.com/hc/en-us/articles/235660588
http://www.pcworld.com/article/3150479/security/bye-privacy-evernote-will-let-its-employees-read-your-notes.html
http://www.gsmarena.com/evernote_updates_its_privacy_policy_to_allow_employees_to_read_your_notes_and_you_cant_opt_out_of_th-blog-22185.php
http://www.forbes.com/sites/thomasbrewster/2016/12/14/worst-privacy-policy-evernote/#33bb8351977c
http://arstechnica.com/security/2016/12/home-routers-under-attack-in-ongoing-malvertisement-blitz/
http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
http://arstechnica.com/security/2016/12/unpatched-bug-allows-hackers-to-seize-control-of-netgear-routers/
http://www.wsj.com/amp/articles/tech-in-cars-what-happens-when-the-wheels-outlast-the-wireless-1481976000
[Wheels just have to learn to use sneakernets, or else sneakers! PGN]
via NNSquad
http://motherboard.vice.com/read/the-fcc-just-approved-a-landmark-new-way-for-deaf-people-to-communicate

As a result of the FCC's action, the nation's wireless carriers and device manufacturers will be required to support RTT functionality, which allows real-time text messaging--without the need to hit "send"--in which the recipient can instantly see letters, characters and words as they are being typed.

"We now have the opportunity--as we design our new communications system that is based on internet-protocol--to finally make our nation's communications systems accessible to everyone," FCC Chairman Wheeler said at the agency's monthly meeting last Thursday.

This innovation will facilitate more natural, conversation-friendly communication for deaf and hard of hearing people--without the need for separate, specialized hardware. It will also allow 911 operators to receive incomplete messages during an emergency, potentially saving lives. RTT technology is expected to be interoperable across wireless networks and devices, creating the potential for unprecedented ease of communication between deaf and hearing people.
This is a bad idea even when the system is not cracked or otherwise technically insecure. What happens if an emergency vehicle comes up from behind? What happens if a rogue driver (intentionally or because of, oh I dunno, a stroke) drives straight at the stalled vehicle? Of course, there are already drivers who turn off their engines at traffic lights. IMAO that's a bad idea already, but at least those drivers _actively_ do so, and are therefore aware that they did. Now imagine that a driver tries to get out of the way of an incoming vehicle, and finds that his car has turned itself off without his active intervention... which of us would _not_ panic and do the wrong thing? I know I probably would! Of course, Elon Musk c.s. will say, the solution is to fit all emergency vehicles with an automatic get-your-car-out-of-the-way WiFi signal. What could go wrong? Well, even ignoring _other_ reasons to want to move promptly, how would we guarantee that all emergency vehicles in all countries in which these cars are sold use the same system? And how do we guarantee that the signal is not interrupted? It's pretty damn hard to interrupt a siren, but a WiFi signal? I have no problem with "giving drivers the information they need". When it comes to "bypassing the driver"... bad idea even in a crackerless world.
I have seen or heard news reports that suggest an *additional* billion accounts were hacked (although not The NY Times article referenced). No doubt many if not most of the 500 million accounts hacked in the second (chronologically) hack were included in the 1 billion accounts hacked in the first incident—though presumably by different people.
See the fifth item in the "Interview with Charles Delavan on Podesta's e-mail" (Slate), on an IT Authority in a high-placed organization approving the opening of a phish that did become somewhat phamous.

I have simplified my instructions to the occasional person that respects my experience and expertise in the matter of malicious email. "If you feel the need to stop and think about opening something, or the need to ask somebody if they think you should open|react to|respond to it, the answer is 'No. Delete it (via a "spam" reporting facility if available).' If your account is in fact in trouble, doing nothing cannot make it worse. The next time you access the account in the normal routine of things you will be notified of the problem and probably referred to a telephone number for assistance."
I agree with Burton, and like his insights. However, I don't think Weinstein's idea of assessing the credibility of linked pages is a reasonable option for Google. Google is a running popularity contest, not a research tool. Pages which are popular will more likely be satisfying to others looking for them. The model they use in their business is much more successful than the previous, manually curated page ranking system used by their predecessors. Since it's a popularity contest, not a judgment, they can claim that they're only providing information from others, not making value determinations themselves. (I ignore, for now, the ways in which an algorithm such as theirs can introduce or amplify bias.) Google could have difficulty ranking based on some definition of "truth": they might risk legal liability toward those who considered themselves unfairly judged. Their approach, claiming that they make no judgments and have no biases, and keeping the algorithm secret to protect themselves from attacks, is a logical one which minimizes their own risk. As soon as they were to claim to measure the "truth" level of a site, or even to offer an "unbiased" list of the common arguments on the "top ten" or "most controversial" topics, they'd open themselves up to attack. I see the risk here, given all of the debate, that Congress might enact laws to create some kind of system similar to that of credit rating agencies, which would nullify the common law bases for liability for slander and libel. If a credit rating agency gets your credit report wrong, you have to go through some procedure to get it changed. But they aren't liable for damages occasioned by the negligence. Under common law, even repeating a libelous or slanderous statement is, by itself, libelous or slanderous, so there is an incentive to be careful to avoid repeating erroneous data. 
Under common law, if they make mistakes or are negligent, they would have to pay for the damage, but the statutory law and administrative regulations give them a safe harbour. They have only a small incentive to avoid errors: as long as their reports are "mostly" accurate, they don't lose business. (Compare with the national crime database, replete with errors, and with no incentive to correct them. I've met two people who each spent some time in jail due solely to errors in that database.)

Suppose that Congress were to create a national agency to "rate" web sites based on their supposed accuracy. In its typical fashion, it would create an elaborate, unfair, and arduous appeal process to contest a bad rating, but it would also create a safe harbour for those who faithfully followed the ratings. By the time an erroneous, bad rating was corrected, it usually would be too late to do any good, and with the safe harbour there would be no incentive to get it right in the first place. The foregoing presupposes that there is, anyway, an acceptable, scientific, unbiased method to determine the truthfulness of a site's content.

As for the Holocaust deniers, well, I've known too many guys with numbers tattooed on their forearms for me to accept that line. On the other hand, I see no safe way to create our own incorruptible Reichsministerium für Volksaufklärung und Propaganda. It would end up hiding the atrocities committed against the Palestinians and the genocide against the indigenous peoples and others. Should we not also warn against those who deny the Native American Holocaust, or the estimated hundreds of millions who died as a direct result of colonialism and the slave trade, or those deaths caused by neocolonialism, or those killed by environmental toxins and destruction? Each of these tolls is more than six million, do they also not deserve a place in the warning system? What about deaths due to climate change? These all have their deniers. Where should this end?
Who will decide? No institution or institutionalized mechanism is beyond error or even beyond malice. It would be like the lie which says that we have a "government of laws". Yes, we have laws, but men and women decide which ones to enforce, and against whom.

The only "fair" approach I can envision is one that allows each search customer to choose a rating mechanism, or none at all. (In truth, the searchers are the product, delivered to advertisers, they are not the customers, but let's not quibble.) For example, if I were to belong to the Church of the Living Yogurt Culture, and were to trust their view of things, then I should be able to enable some Church-provided script which would show a Yogurt Score alongside each result. A little coordination and a few browser plugins should do it. A different customer doing the same search but belonging to the Pterodactyl Temple would get his own institution's rating, instead. With a selectable rating system, the various competing offerings would have to earn the trust of potential users, and accuracy and truth might become valuable coins. Their success might be highly dependent upon their reputations, so there'd be a big risk to lying even a little.

The cigarette people wouldn't admit that their product might cause harm, but eventually they were compelled to put a warning on their packages, telling of the risks of smoking. Studies have shown that the warning has been significantly effective in reducing smoking. Maybe we could try for a warning message with search engines. My modest proposal:

  WARNING: Search results are based in part on the popularity of pages and do not necessarily reflect the truth or falsehood of the contents of those pages. Furthermore, the position of pages is subject to manipulation by various techniques known to be employed by domestic and foreign governments, corporations, special interest groups, individuals, and businesses offering what is known as "search engine optimization (SEO)" services. We ourselves may employ algorithms, confidential to us, and for our own reasons, which might affect the position of pages in the search results. Neither we nor any of them are under any obligation whatsoever to tell you the truth. These search results are provided for entertainment purposes only, 'as is' without warranty of any kind, expressed or implied, including, but not limited to, the IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. You may have other rights under the law in specific jurisdictions, and are advised to consult an attorney, but be advised that attorneys, too, have been known to prevaricate. Moreover, the law requires us to act in the best interests of our shareholders, and sometimes it is in their best interests for us to hide the truth.

[Additional warning about selling personal information and tracking data is probably too much off-topic, so I'll omit it.]

As for any kind of Ministry of Truth to rate the veracity or accuracy of web sites, whether that Ministry be commercial or governmental or non-profit, I believe it's fair to say that such an idea ought obviously to be viewed as a non-starter, except in some backward countries such as... oh, never mind.
The biggest risk—as you note—is that governments will move into this space, which strongly suggests that proactive actions by these firms to more appropriately deal with these issues—as I have suggested *and as Facebook has just announced it is deploying*—are the best approaches to avoid heavy-handed Ministries of Truth. But I again assert that the status quo is not tenable. Fake news sites are leveraging Google's lack of ANY labeling along the lines I've suggested—and AdSense—to turn lies into lucrative income streams doing enormous damage. Eventually the pushback will reach a level where dangerous kneejerk reactions by government are inevitable, unless policies are improved proactively now.
Lauren, I suspect you mean Google policies are needed and hopefully not public policies, which are likely to be a poor fit. I agree in this case, particularly with fake news in AdSense. I'm concerned the line between superfluous goods made to seem like we need them and deceptive content made to look like news worth consuming is a fine line for Google policy. The holocaust denier page was a web page. If it had AdSense (I admit I refused to visit it) then an ad may well get many views and clicks. But I'm sure it breaks laws in several countries to profit from hate, let alone make it searchable in the first place. The solution is vigilance, but I can see only a kind of manual reporting list like SORBS [Spam and Open Relay Blocking System], with its concomitant mistaken or malicious blocks. The proper policies would be great, but they would need to be enforced.
Government actions in this sphere are the worst case outcomes. Proactive actions by the firms involved *may* help to forestall at least some of these and perhaps the worst of them.
https://www.theguardian.com/technology/2016/dec/17/holocaust-deniers-google-search-top-spot
That [Guardian] article is confusing ads (which are always marked as such on Google Search results pages) with organic results (which are not influenced by ads). So his creating an ad insert says nothing at all about the organic results, which are what are actually at issue here. [OK. I'm going to try to blow the whistle on this thread, even though it is still computer-related. Diminishing returns? PGN]